Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Skills for finding a job on hh
v1.0.0
Search, evaluate, and manage job opportunities for a candidate across the Russian market with hh.ru, Habr Career, Telegram vacancy channels/chats, and Linked...
by Nikolay Kuznetsov (@naxofon)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence
Purpose & Capability
The name/description match the included scripts: parsing Telegram posts, normalizing vacancies, scoring against a candidate profile, and automating hh.ru browser flows (raise resumes, auto-apply). That functionality is coherent with the stated purpose. However, the registry metadata claims no required binaries, while several scripts call an external 'openclaw' browser CLI and require Python packages (pydantic, rapidfuzz) listed in scripts/requirements.txt. These runtime needs are not declared in the skill metadata, a small but important mismatch.
Instruction Scope
SKILL.md contains clear, scoped runtime instructions and explicit safety rules (do not auto-apply/outreach without explicit user permission, do not invent profile data, log external actions, verify hh apply success, etc.). The instructions and the code largely stay within job-search behavior; they read/write workspace files and evaluate page DOMs through the browser CLI, which is expected for this skill. There is no instruction to read unrelated system files or to exfiltrate secrets. The one runtime capability to be aware of is DOM/script evaluation in a logged-in browser session: that can observe any page the browser profile is signed into.
Install Mechanism
There is no install spec. The repository includes a scripts/requirements.txt and many Python scripts, plus code that calls an external CLI ('openclaw') via shutil.which('openclaw') or defaulting to the name. Without an install section the skill metadata doesn't declare how to install Python dependencies or that the openclaw binary is required. That increases user friction and risk (missing dependencies, unexpected runtime failures) and hides that the skill will attempt browser automation if the binary is present.
Credentials
The skill declares no required environment variables or credentials, and the code does not hard-code any extraneous secrets or remote endpoints beyond the expected sources (hh.ru, t.me links, LinkedIn). However, the BrowserCli integration implies use of a browser profile (DEFAULT_PROFILE 'chrome-relay') that may be logged into user accounts, and the skill will act in that context. While no new credentials are requested, the implicit need for a logged-in browser profile is a sensitive runtime precondition and should be considered a credential-like capability.
Persistence & Privilege
The 'always' flag is false, and the skill does not request to persistently enable itself. The code writes and reads project workspace files (PROFILE.md, PIPELINE.md, applications/, logs/), which is expected for a job-hunt workflow. Note: autonomous model invocation is allowed by default; combined with browser automation and any enabled 'controlled auto-apply' or 'outreach-enabled' mode, this increases the potential impact, but SKILL.md includes explicit safety rules requiring user permission before automatic submissions or contacting recruiters.
What to consider before installing
This skill appears to implement a coherent job-search toolkit and browser automation for hh.ru, but take these precautions before installing:
- Expect to need the 'openclaw' browser CLI on PATH (scripts call it) and to install Python dependencies (pydantic, rapidfuzz). The registry metadata does not declare these requirements — install them yourself or inspect how the environment will be provisioned.
- The skill automates a browser profile (default 'chrome-relay') and will run JavaScript in pages. That profile may be logged into your accounts; only use a browser profile you trust and preferably an isolated one.
- Review and test in research-only or assisted modes first. Do NOT enable automatic apply/outreach until you audit the code paths and confirm the safety rules are enforced in practice.
- Because there is no install spec and the source/homepage are unknown, consider running the code in an isolated environment (VM or container) and review any omitted files before granting access to real accounts or private data.
- If you need higher assurance, ask the author for an install script or manifest (declaring the openclaw requirement and pip requirements) and for reproducible provenance (source repository URL, owner contact) so you can audit updates.
Like a lobster shell, security has layers — review code before you run it.
latest: vk9746nxa6cwchsazypmdqvg7nn838gde
